Changeset 196283 in webkit
- Timestamp:
- Feb 8, 2016 5:26:56 PM (8 years ago)
- Location:
- trunk
- Files:
  - 30 added
  - 23 edited
trunk/LayoutTests/ChangeLog
r196274 r196283 1 2016-02-08 Daniel Bates <dabates@apple.com> 2 3 CSP connect-src directive should block redirects 4 https://bugs.webkit.org/show_bug.cgi?id=69359 5 <rdar://problem/24383025> 6 7 Reviewed by Brent Fulgham. 8 9 Add more tests, update erroneous expected results, and remove some entries from TestExpectations for tests 10 that now pass. 11 12 * TestExpectations: Remove entries for tests that now pass. The failure of test http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html 13 was erroneously attributed to <https://bugs.webkit.org/show_bug.cgi?id=153562>. 14 * http/tests/security/contentSecurityPolicy/resources/determine-content-security-policy-header.php: Added. 15 * http/tests/security/contentSecurityPolicy/resources/script-set-value.js: Use global variable self instead of window so as to 16 make this script work both from a Document and a Web Worker. In a document, self refers to the Window object and in a worker 17 it refers to the WorkerGlobalScope object. 18 * http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.php: Added. 19 * http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-blocked.php: Added. 20 * http/tests/security/contentSecurityPolicy/resources/worker-xhr-allowed.php: Added. 21 * http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.php: Added. 22 * http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.php: Added. 23 * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt: Remove Blink-specific messages so that the test passes. 24 * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt: Added. 25 * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html: Added. 
26 * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt: Added. 27 * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html: Added. 28 * http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt: Added. 29 * http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html: Added. 30 * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed-expected.txt: Added. 31 * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed.html: Added. 32 * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt: Added. 33 * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked.html: Added. 34 * http/tests/security/contentSecurityPolicy/worker-importscripts-blocked-expected.txt: Substitute Blink-specific error text with the analogous WebKit error text. 35 * http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html: Ditto. 36 * http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed-expected.txt: Added. 37 * http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed.html: Added. 38 * http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect-expected.txt: Added. 39 * http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect.html: Added. 40 * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin-expected.txt: Added. 41 * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin.html: Added. 
42 * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScripts-redirect-cross-origin-expected.txt: Added. 43 * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScript-redirect-cross-origin-expected.txt: Added. 44 * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin-expected.txt: Added. 45 * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin.html: Added. 46 * http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-expected.txt: Added. 47 * http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin-expected.txt: Added. 48 * http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin.html: Added. 49 * http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr.html: Added. 50 1 51 2016-02-08 Yusuke Suzuki <utatane.tea@gmail.com> 2 52 -
trunk/LayoutTests/TestExpectations
r196268 r196283 793 793 794 794 # Content Security Policy failures 795 webkit.org/b/69359 http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked.html [ Failure ]796 webkit.org/b/69359 http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked.html [ Failure ]797 webkit.org/b/69359 http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html [ Failure ]798 795 webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html 799 796 webkit.org/b/115700 http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html [ Failure ] … … 834 831 webkit.org/b/153168 http/tests/security/contentSecurityPolicy/source-list-parsing-07.html [ Failure ] 835 832 webkit.org/b/153170 http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html [ Failure ] 836 webkit.org/b/153562 http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html [ Failure ]837 833 webkit.org/b/153562 http/tests/security/contentSecurityPolicy/worker-script-src.html [ Failure ] 838 834 http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ] -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/script-set-value.js
r195367 r196283 1 window.result = true;1 self.result = true; -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt
r195367 r196283 1 1 CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/post-message.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' http://127.0.0.1:8000". 2 2 3 This is a testharness.js-based test. 3 4 4 PASS Blob worker inherits CSP 5 Harness: the test ran to completion.6 5 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked-expected.txt
r195367 r196283 1 1 CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/post-message.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-inline' 127.0.0.1:8000". 2 2 3 PASS result is "importScripts blocked: NetworkError: Failed to execute 'importScripts' on 'WorkerGlobalScope': The script at 'http://localhost:8000/security/contentSecurityPolicy/resources/post-message.js' failed to load."3 PASS result is "importScripts blocked: Error: NetworkError: DOM Exception 19" 4 4 PASS successfullyParsed is true 5 5 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html
r195367 r196283 16 16 worker.onmessage = function (event) { 17 17 result = event.data; 18 shouldBeEqualToString('result', 'importScripts blocked: NetworkError: Failed to execute \'importScripts\' on \'WorkerGlobalScope\': The script at \'http://localhost:8000/security/contentSecurityPolicy/resources/post-message.js\' failed to load.');18 shouldBeEqualToString('result', 'importScripts blocked: Error: NetworkError: DOM Exception 19'); 19 19 finishJSTest(); 20 20 }; -
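Review bot: the updated assertion `shouldBeEqualToString('result', 'importScripts blocked: Error: NetworkError: DOM Exception 19')` pins the test to the exact `toString()` of a DOMException, which is exactly why the previous Blink-flavoured string had to be replaced and will break again the next time WebKit rewords exception messages. Have the worker post `e.name` (and, if wanted, `e.code`) and compare against `'NetworkError'` / `19`, so the test checks the security-relevant fact (importScripts was refused with a NetworkError) rather than message formatting.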
trunk/Source/WebCore/ChangeLog
r196282 r196283 1 2016-02-08 Daniel Bates <dabates@apple.com> 2 3 CSP connect-src directive should block redirects 4 https://bugs.webkit.org/show_bug.cgi?id=69359 5 <rdar://problem/24383025> 6 7 Reviewed by Brent Fulgham. 8 9 Inspired by Blink patch: 10 <https://src.chromium.org/viewvc/blink?revision=150246&view=revision> 11 12 Apply the connect-src directive of the Content Security Policy for the document or worker to the redirect URL 13 of an XMLHttpRequest and EventSource load so as to conform to section Paths and Redirects of the CSP 2.0 spec., 14 <https://w3c.github.io/webappsec-csp/2/#source-list-paths-and-redirects> (29 August 2015). 15 16 Additionally, check that each requested script URL passed to WorkerGlobalScope.importScripts() is allowed by 17 the CSP of the worker before initiating a load for it. If some URL i is blocked by the CSP policy 18 then we do not try to load URLs j >= i. 19 20 Tests: http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html 21 http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html 22 http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html 23 http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed.html 24 http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked.html 25 http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed.html 26 http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect.html 27 http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin.html 28 http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin.html 29 http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin.html 30 
http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr.html 31 32 * fileapi/FileReaderLoader.cpp: 33 (WebCore::FileReaderLoader::start): Do not enforce a CSP directive as CSP is not applicable to File API. 34 * inspector/InspectorNetworkAgent.cpp: 35 (WebCore::InspectorNetworkAgent::loadResource): Do not enforce a CSP directive as CSP should not interfere 36 with the Web Inspector. 37 * loader/DocumentThreadableLoader.cpp: 38 (WebCore::DocumentThreadableLoader::loadResourceSynchronously): Modified to take an optional ContentSecurityPolicy 39 and pass it through to DocumentThreadableLoader::create(). 40 (WebCore::DocumentThreadableLoader::create): Modified to take an optional ContentSecurityPolicy and pass it through 41 to DocumentThreadableLoader::DocumentThreadableLoader(). 42 (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Modified to take an optional ContentSecurityPolicy. 43 Asserts that the CSP allows the load of the request URL so as to catch when a caller creates a loader for a request 44 that is not allowed by the CSP. The caller should not create a loader for such a request. 45 (WebCore::DocumentThreadableLoader::redirectReceived): Check if the CSP allows the redirect URL. If it does not 46 then notify the client that the redirect check failed. 47 (WebCore::DocumentThreadableLoader::loadRequest): Ditto. 48 (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy): Checks that the specified URL is allowed 49 by the enforced CSP directive. 50 (WebCore::DocumentThreadableLoader::contentSecurityPolicy): Returns the ContentSecurityPolicy object passed to 51 DocumentThreadableLoader on instantiation or the ContentSecurityPolicy object of the associated document. 52 * loader/DocumentThreadableLoader.h: Add overloaded variants of DocumentThreadableLoader::{create, loadResourceSynchronously}() 53 that take a std::unique_ptr<ContentSecurityPolicy>&&. Remove some unnecessary headers. 
54 * loader/ThreadableLoader.cpp: 55 (WebCore::ThreadableLoaderOptions::ThreadableLoaderOptions): Take the CSP directive to enforce and store it. 56 (WebCore::ThreadableLoaderOptions::isolatedCopy): Copy the CSP directive to enforce. 57 * loader/ThreadableLoader.h: Added member field to store the CSP directive to enforce (defaults to enforce the 58 directive connect-src - the most appropriate directive in most circumstances). As of the time of writing, 59 only WorkerGlobalScope.importScripts() enforces a different directive: script-src. 60 * loader/WorkerThreadableLoader.cpp: 61 (WebCore::WorkerThreadableLoader::WorkerThreadableLoader): Pass the SecurityOrigin and ContentSecurityPolicy associated 62 with the WorkerGlobalScope to WorkerThreadableLoader::MainThreadBridge::MainThreadBridge(). 63 (WebCore::WorkerThreadableLoader::MainThreadBridge::MainThreadBridge): Pass a copy of the worker's ContentSecurityPolicy 64 to the DocumentThreadableLoader. 65 * loader/WorkerThreadableLoader.h: 66 * page/EventSource.cpp: 67 (WebCore::EventSource::connect): Enforce the CSP directive connect-src on redirects unless we are running in an isolated world. 68 * workers/AbstractWorker.cpp: 69 (WebCore::AbstractWorker::resolveURL): Modified to take a boolean whether to bypass the main world Content Security Policy 70 instead of querying for it directly. 71 * workers/AbstractWorker.h: 72 * workers/Worker.cpp: 73 (WebCore::Worker::create): Added FIXME to enforce child-src directive of the document's CSP to the worker's script URL 74 on redirect once we fix <https://bugs.webkit.org/show_bug.cgi?id=153562>. For now, do not enforce a CSP policy on redirect 75 of the worker's script URL. 76 * workers/WorkerGlobalScope.cpp: 77 (WebCore::WorkerGlobalScope::importScripts): Check that the requested URL is allowed by the CSP of the worker (if applicable). 78 Enforce the CSP directive script-src on redirects unless we are running in an isolated world. 
79 * workers/WorkerScriptLoader.cpp: 80 (WebCore::WorkerScriptLoader::loadSynchronously): Pass SecurityOrigin and ContentSecurityPolicyEnforcement to WorkerThreadableLoader. 81 (WebCore::WorkerScriptLoader::loadAsynchronously): Ditto. 82 * workers/WorkerScriptLoader.h: 83 * xml/XMLHttpRequest.cpp: 84 (WebCore::XMLHttpRequest::createRequest): Enforce the CSP directive connect-src on redirects unless we are running in 85 an isolated world. 86 1 87 2016-02-08 Antti Koivisto <antti@apple.com> 2 88 -
trunk/Source/WebCore/fileapi/FileReaderLoader.cpp
r189485 r196283 98 98 options.setAllowCredentials(AllowStoredCredentials); 99 99 options.crossOriginRequestPolicy = DenyCrossOriginRequests; 100 options.contentSecurityPolicyEnforcement = ContentSecurityPolicyEnforcement::DoNotEnforce; 100 101 101 102 if (m_client) -
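Review bot: `options.contentSecurityPolicyEnforcement = ContentSecurityPolicyEnforcement::DoNotEnforce;` is the kind of line a later reader will flag, and the justification ("CSP is not applicable to File API") only lives in the ChangeLog. Put a one-line comment on the assignment stating that FileReaderLoader only loads Blob/File data and is therefore outside connect-src, so an audit of every `DoNotEnforce` site can confirm the exemption from the code itself.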
trunk/Source/WebCore/inspector/InspectorNetworkAgent.cpp
r194496 r196283 680 680 options.setDefersLoadingPolicy(DefersLoadingPolicy::DisallowDefersLoading); // So the request is never deferred. 681 681 options.crossOriginRequestPolicy = AllowCrossOriginRequests; 682 options.contentSecurityPolicyEnforcement = ContentSecurityPolicyEnforcement::DoNotEnforce; 682 683 683 684 // InspectorThreadableLoaderClient deletes itself when the load completes. -
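Review bot: same request as for FileReaderLoader: the `DoNotEnforce` here intentionally lets Web Inspector fetch resources the page's CSP would block, which is reasonable for a privileged tool, but the rationale should be stated next to the assignment (the neighbouring line already does this for `DisallowDefersLoading`), and the surrounding code should make clear that `InspectorNetworkAgent::loadResource` is only reachable from the inspector protocol, not from page script.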
trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp
r195010 r196283 36 36 #include "CachedResourceRequest.h" 37 37 #include "CachedResourceRequestInitiators.h" 38 #include "ContentSecurityPolicy.h" 38 39 #include "CrossOriginAccessControl.h" 39 40 #include "CrossOriginPreflightResultCache.h" … … 54 55 namespace WebCore { 55 56 57 void DocumentThreadableLoader::loadResourceSynchronously(Document& document, const ResourceRequest& request, ThreadableLoaderClient& client, const ThreadableLoaderOptions& options, std::unique_ptr<ContentSecurityPolicy>&& contentSecurityPolicy) 58 { 59 // The loader will be deleted as soon as this function exits. 60 RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, client, LoadSynchronously, request, options, WTFMove(contentSecurityPolicy))); 61 ASSERT(loader->hasOneRef()); 62 } 63 56 64 void DocumentThreadableLoader::loadResourceSynchronously(Document& document, const ResourceRequest& request, ThreadableLoaderClient& client, const ThreadableLoaderOptions& options) 57 65 { 58 // The loader will be deleted as soon as this function exits. 
59 RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, client, LoadSynchronously, request, options)); 60 ASSERT(loader->hasOneRef()); 61 } 62 63 PassRefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient& client, const ResourceRequest& request, const ThreadableLoaderOptions& options) 64 { 65 RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, client, LoadAsynchronously, request, options)); 66 loadResourceSynchronously(document, request, client, options, nullptr); 67 } 68 69 PassRefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient& client, const ResourceRequest& request, const ThreadableLoaderOptions& options, std::unique_ptr<ContentSecurityPolicy>&& contentSecurityPolicy) 70 { 71 RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, client, LoadAsynchronously, request, options, WTFMove(contentSecurityPolicy))); 66 72 if (!loader->m_resource) 67 73 loader = nullptr; … … 69 75 } 70 76 71 DocumentThreadableLoader::DocumentThreadableLoader(Document& document, ThreadableLoaderClient& client, BlockingBehavior blockingBehavior, const ResourceRequest& request, const ThreadableLoaderOptions& options) 77 PassRefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient& client, const ResourceRequest& request, const ThreadableLoaderOptions& options) 78 { 79 return DocumentThreadableLoader::create(document, client, request, options, nullptr); 80 } 81 82 DocumentThreadableLoader::DocumentThreadableLoader(Document& document, ThreadableLoaderClient& client, BlockingBehavior blockingBehavior, const ResourceRequest& request, const ThreadableLoaderOptions& options, std::unique_ptr<ContentSecurityPolicy>&& contentSecurityPolicy) 72 83 : m_client(&client) 73 84 , m_document(document) … … 76 87 , m_simpleRequest(true) 77 
88 , m_async(blockingBehavior == LoadAsynchronously) 89 , m_contentSecurityPolicy(WTFMove(contentSecurityPolicy)) 78 90 { 79 91 // Setting an outgoing referer is only supported in the async code path. 80 92 ASSERT(m_async || request.httpReferrer().isEmpty()); 93 94 ASSERT_WITH_SECURITY_IMPLICATION(isAllowedByContentSecurityPolicy(request.url())); 81 95 82 96 if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) { … … 178 192 179 193 Ref<DocumentThreadableLoader> protect(*this); 194 if (!isAllowedByContentSecurityPolicy(request.url())) { 195 m_client->didFailRedirectCheck(); 196 request = ResourceRequest(); 197 return; 198 } 199 180 200 // Allow same origin requests to continue after allowing clients to audit the redirect. 181 201 if (isAllowedRedirect(request.url())) … … 407 427 // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was 408 428 // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials. 
409 if (requestURL != response.url() && !isAllowedRedirect(response.url())) {429 if (requestURL != response.url() && (!isAllowedByContentSecurityPolicy(response.url()) || !isAllowedRedirect(response.url()))) { 410 430 m_client->didFailRedirectCheck(); 411 431 return; … … 419 439 } 420 440 441 bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url) 442 { 443 switch (m_options.contentSecurityPolicyEnforcement) { 444 case ContentSecurityPolicyEnforcement::DoNotEnforce: 445 return true; 446 case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective: 447 return contentSecurityPolicy().allowConnectToSource(url, false); // Do not override policy 448 case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective: 449 return contentSecurityPolicy().allowScriptFromSource(url, false); // Do not override policy 450 } 451 ASSERT_NOT_REACHED(); 452 return false; 453 } 454 421 455 bool DocumentThreadableLoader::isAllowedRedirect(const URL& url) 422 456 { … … 437 471 } 438 472 473 const ContentSecurityPolicy& DocumentThreadableLoader::contentSecurityPolicy() const 474 { 475 if (m_contentSecurityPolicy) 476 return *m_contentSecurityPolicy.get(); 477 ASSERT(m_document.contentSecurityPolicy()); 478 return *m_document.contentSecurityPolicy(); 479 } 480 439 481 } // namespace WebCore -
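Review bot: the constructor's `ASSERT_WITH_SECURITY_IMPLICATION(isAllowedByContentSecurityPolicy(request.url()))` is the loader's only check on the initial request URL and it compiles out in release builds, so a caller that skips its own pre-check (XMLHttpRequest, EventSource and importScripts each do one) gets an unblocked load instead of a failure. The redirect paths already fail closed: `redirectReceived` calls `m_client->didFailRedirectCheck()` and clears the request, and the synchronous path in `loadRequest` does the same when `!isAllowedByContentSecurityPolicy(response.url())`; the constructor should fail the load the same way rather than rely on a debug assertion. Two smaller points: a CSP refusal on redirect is reported to the client as a redirect-check failure, indistinguishable from a CORS failure, so the console message emitted by `allowConnectToSource` / `allowScriptFromSource` is the only place the CSP cause is visible; and `contentSecurityPolicy()` dereferences `m_document.contentSecurityPolicy()` after a plain `ASSERT`, so every Document reaching this code must own a policy object.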
trunk/Source/WebCore/loader/DocumentThreadableLoader.h
r194419 r196283 34 34 #include "CachedRawResourceClient.h" 35 35 #include "CachedResourceHandle.h" 36 #include "FrameLoaderTypes.h"37 36 #include "ThreadableLoader.h" 38 #include <wtf/Forward.h>39 37 #include <wtf/PassRefPtr.h> 40 38 #include <wtf/RefCounted.h> 41 #include <wtf/RefPtr.h>42 #include <wtf/text/WTFString.h>43 39 44 40 namespace WebCore { 45 41 class CachedRawResource; 42 class ContentSecurityPolicy; 46 43 class Document; 47 44 class URL; … … 53 50 WTF_MAKE_FAST_ALLOCATED; 54 51 public: 52 static void loadResourceSynchronously(Document&, const ResourceRequest&, ThreadableLoaderClient&, const ThreadableLoaderOptions&, std::unique_ptr<ContentSecurityPolicy>&&); 55 53 static void loadResourceSynchronously(Document&, const ResourceRequest&, ThreadableLoaderClient&, const ThreadableLoaderOptions&); 54 55 static PassRefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, const ResourceRequest&, const ThreadableLoaderOptions&, std::unique_ptr<ContentSecurityPolicy>&&); 56 56 static PassRefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, const ResourceRequest&, const ThreadableLoaderOptions&); 57 57 58 virtual ~DocumentThreadableLoader(); 58 59 … … 73 74 }; 74 75 75 DocumentThreadableLoader(Document&, ThreadableLoaderClient&, BlockingBehavior, const ResourceRequest&, const ThreadableLoaderOptions& );76 DocumentThreadableLoader(Document&, ThreadableLoaderClient&, BlockingBehavior, const ResourceRequest&, const ThreadableLoaderOptions&, std::unique_ptr<ContentSecurityPolicy>&&); 76 77 77 78 void clearResource(); … … 96 97 void loadRequest(const ResourceRequest&, SecurityCheckPolicy); 97 98 bool isAllowedRedirect(const URL&); 99 bool isAllowedByContentSecurityPolicy(const URL&); 98 100 99 101 bool isXMLHttpRequest() const override final; 100 102 101 103 SecurityOrigin* securityOrigin() const; 104 const ContentSecurityPolicy& contentSecurityPolicy() const; 102 105 103 106 CachedResourceHandle<CachedRawResource> 
m_resource; … … 109 112 bool m_async; 110 113 std::unique_ptr<ResourceRequest> m_actualRequest; // non-null during Access Control preflight checks 114 std::unique_ptr<ContentSecurityPolicy> m_contentSecurityPolicy; 111 115 }; 112 116 -
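Review bot: `bool isAllowedByContentSecurityPolicy(const URL&);` can be `const`, like the neighbouring `const ContentSecurityPolicy& contentSecurityPolicy() const;`, since it only reads `m_options` and the policy. Also, both non-CSP overloads of `create` and `loadResourceSynchronously` just forward `nullptr` (see the .cpp), so a defaulted trailing `std::unique_ptr<ContentSecurityPolicy>&&` parameter would remove two overloads and keep a single signature to audit.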
trunk/Source/WebCore/loader/ThreadableLoader.cpp
r194496 r196283 52 52 } 53 53 54 ThreadableLoaderOptions::ThreadableLoaderOptions(const ResourceLoaderOptions& baseOptions, PreflightPolicy preflightPolicy, CrossOriginRequestPolicy crossOriginRequestPolicy, RefPtr<SecurityOrigin>&& securityOrigin, String&& initiator)54 ThreadableLoaderOptions::ThreadableLoaderOptions(const ResourceLoaderOptions& baseOptions, PreflightPolicy preflightPolicy, CrossOriginRequestPolicy crossOriginRequestPolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, RefPtr<SecurityOrigin>&& securityOrigin, String&& initiator) 55 55 : ResourceLoaderOptions(baseOptions) 56 56 , preflightPolicy(preflightPolicy) 57 57 , crossOriginRequestPolicy(crossOriginRequestPolicy) 58 , contentSecurityPolicyEnforcement(contentSecurityPolicyEnforcement) 58 59 , securityOrigin(WTFMove(securityOrigin)) 59 60 , initiator(WTFMove(initiator)) … … 66 67 if (securityOrigin) 67 68 securityOriginCopy = securityOrigin->isolatedCopy(); 68 return std::make_unique<ThreadableLoaderOptions>(*this, preflightPolicy, crossOriginRequestPolicy, 69 WTFMove(securityOriginCopy), initiator.isolatedCopy()); 69 return std::make_unique<ThreadableLoaderOptions>(*this, preflightPolicy, crossOriginRequestPolicy, contentSecurityPolicyEnforcement, WTFMove(securityOriginCopy), initiator.isolatedCopy()); 70 70 } 71 71 -
trunk/Source/WebCore/loader/ThreadableLoader.h
r186592 r196283 60 60 }; 61 61 62 enum class ContentSecurityPolicyEnforcement { 63 DoNotEnforce, 64 EnforceConnectSrcDirective, 65 EnforceScriptSrcDirective, 66 }; 67 62 68 struct ThreadableLoaderOptions : ResourceLoaderOptions { 63 69 ThreadableLoaderOptions(); 64 ThreadableLoaderOptions(const ResourceLoaderOptions&, PreflightPolicy, CrossOriginRequestPolicy, RefPtr<SecurityOrigin>&&, String&& initiator);70 ThreadableLoaderOptions(const ResourceLoaderOptions&, PreflightPolicy, CrossOriginRequestPolicy, ContentSecurityPolicyEnforcement, RefPtr<SecurityOrigin>&&, String&& initiator); 65 71 ~ThreadableLoaderOptions(); 66 72 … … 69 75 PreflightPolicy preflightPolicy; // If AccessControl is used, how to determine if a preflight is needed. 70 76 CrossOriginRequestPolicy crossOriginRequestPolicy; 77 ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement { ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective }; 71 78 RefPtr<SecurityOrigin> securityOrigin; 72 79 String initiator; // This cannot be an AtomicString, as isolatedCopy() wouldn't create an object that's safe for passing to another thread. -
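Review bot: the new `ContentSecurityPolicyEnforcement` enumerators carry no comments, while the ChangeLog explains that connect-src is the default because it fits most callers and that only `WorkerGlobalScope.importScripts()` uses `EnforceScriptSrcDirective`; put that on the enum, and say that `DoNotEnforce` is reserved for loads CSP does not govern (File API, Inspector) and for isolated worlds, so callers do not pick it to silence a failure. The default member initializer `{ ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective }` is the right fail-closed choice; worth a comment too, since every `ThreadableLoaderOptions` user now inherits it.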
trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp
r194419 r196283 32 32 #include "WorkerThreadableLoader.h" 33 33 34 #include "ContentSecurityPolicy.h" 34 35 #include "Document.h" 35 36 #include "DocumentThreadableLoader.h" … … 52 53 : m_workerGlobalScope(workerGlobalScope) 53 54 , m_workerClientWrapper(ThreadableLoaderClientWrapper::create(client)) 54 , m_bridge(*(new MainThreadBridge(m_workerClientWrapper, m_workerGlobalScope->thread().workerLoaderProxy(), taskMode, request, options, workerGlobalScope->url().strippedForUseAsReferrer())))55 , m_bridge(*(new MainThreadBridge(m_workerClientWrapper, workerGlobalScope->thread().workerLoaderProxy(), taskMode, request, options, workerGlobalScope->url().strippedForUseAsReferrer(), workerGlobalScope->securityOrigin(), workerGlobalScope->contentSecurityPolicy()))) 55 56 { 56 57 } … … 84 85 85 86 WorkerThreadableLoader::MainThreadBridge::MainThreadBridge(PassRefPtr<ThreadableLoaderClientWrapper> workerClientWrapper, WorkerLoaderProxy& loaderProxy, const String& taskMode, 86 const ResourceRequest& request, const ThreadableLoaderOptions& options, const String& outgoingReferrer) 87 const ResourceRequest& request, const ThreadableLoaderOptions& options, const String& outgoingReferrer, 88 const SecurityOrigin* securityOrigin, const ContentSecurityPolicy* contentSecurityPolicy) 87 89 : m_workerClientWrapper(workerClientWrapper) 88 90 , m_loaderProxy(loaderProxy) … … 93 95 auto* requestData = request.copyData().release(); 94 96 auto* optionsCopy = options.isolatedCopy().release(); 97 98 ASSERT(securityOrigin); 99 ASSERT(contentSecurityPolicy); 100 auto* contentSecurityPolicyCopy = std::make_unique<ContentSecurityPolicy>(*securityOrigin).release(); 101 contentSecurityPolicyCopy->copyStateFrom(contentSecurityPolicy); 102 95 103 StringCapture capturedOutgoingReferrer(outgoingReferrer); 96 m_loaderProxy.postTaskToLoader([this, requestData, optionsCopy, c apturedOutgoingReferrer](ScriptExecutionContext& context) {104 m_loaderProxy.postTaskToLoader([this, requestData, optionsCopy, 
contentSecurityPolicyCopy, capturedOutgoingReferrer](ScriptExecutionContext& context) { 97 105 ASSERT(isMainThread()); 98 106 Document& document = downcast<Document>(context); … … 106 114 // will return a 0 value. Either this should return 0 or the other code path should do a callback with 107 115 // a failure. 108 m_mainThreadLoader = DocumentThreadableLoader::create(document, *this, *request, *options );116 m_mainThreadLoader = DocumentThreadableLoader::create(document, *this, *request, *options, std::unique_ptr<ContentSecurityPolicy>(contentSecurityPolicyCopy)); 109 117 ASSERT(m_mainThreadLoader); 110 118 }); -
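Review bot: `contentSecurityPolicyCopy` is a raw pointer obtained with `.release()` and is only reclaimed when the lambda wraps it back into `std::unique_ptr<ContentSecurityPolicy>(contentSecurityPolicyCopy)` on the main thread, so it leaks if the posted task never runs (same pattern as `requestData` and `optionsCopy`, but this object is new). More importantly, the copy is built from `*securityOrigin` on the worker thread and then handed to the main thread, whereas `optionsCopy` goes through `isolatedCopy()`; if `ContentSecurityPolicy` retains the `SecurityOrigin`, construct the copy from `securityOrigin->isolatedCopy()` so the refcounted origin is not shared across threads. The `ASSERT(securityOrigin)` / `ASSERT(contentSecurityPolicy)` are debug-only, so in release a null here is a plain dereference.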
trunk/Source/WebCore/loader/WorkerThreadableLoader.h
r177733 r196283 44 44 namespace WebCore { 45 45 46 class ContentSecurityPolicy; 46 47 class ResourceError; 47 48 class ResourceRequest; … … 95 96 public: 96 97 // All executed on the worker context's thread. 97 MainThreadBridge(PassRefPtr<ThreadableLoaderClientWrapper>, WorkerLoaderProxy&, const String& taskMode, const ResourceRequest&, const ThreadableLoaderOptions&, const String& outgoingReferrer );98 MainThreadBridge(PassRefPtr<ThreadableLoaderClientWrapper>, WorkerLoaderProxy&, const String& taskMode, const ResourceRequest&, const ThreadableLoaderOptions&, const String& outgoingReferrer, const SecurityOrigin*, const ContentSecurityPolicy*); 98 99 void cancel(); 99 100 void destroy(); -
trunk/Source/WebCore/page/EventSource.cpp
r196242 r196283 130 130 options.setDataBufferingPolicy(DoNotBufferData); 131 131 options.securityOrigin = origin; 132 options.contentSecurityPolicyEnforcement = scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy() ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective; 132 133 133 134 m_loader = ThreadableLoader::create(scriptExecutionContext(), this, request, options); -
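Review bot: this hunk governs only redirects; the pre-load connect-src check on the EventSource URL is not here, and because `DocumentThreadableLoader`'s constructor now asserts `isAllowedByContentSecurityPolicy(request.url())`, `connect()` must never be entered (including on automatic reconnect) with a URL that initial check refused. A short comment stating where the initial URL is validated would make that invariant visible at the call site. The assignment is also a very long line; breaking the ternary across lines would match the surrounding style.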
trunk/Source/WebCore/workers/AbstractWorker.cpp
r196242 r196283 44 44 } 45 45 46 URL AbstractWorker::resolveURL(const String& url, ExceptionCode& ec)46 URL AbstractWorker::resolveURL(const String& url, bool shouldBypassMainWorldContentSecurityPolicy, ExceptionCode& ec) 47 47 { 48 48 if (url.isEmpty()) { … … 66 66 // See <https://bugs.webkit.org/show_bug.cgi?id=153562>. 67 67 ASSERT(scriptExecutionContext()->contentSecurityPolicy()); 68 if (!scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(scriptURL, s criptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy())) {68 if (!scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(scriptURL, shouldBypassMainWorldContentSecurityPolicy)) { 69 69 ec = SECURITY_ERR; 70 70 return URL(); -
trunk/Source/WebCore/workers/AbstractWorker.h
r181169 r196283 55 55 56 56 // Helper function that converts a URL to an absolute URL and checks the result for validity. 57 URL resolveURL(const String& url, ExceptionCode& ec);57 URL resolveURL(const String& url, bool shouldBypassMainWorldContentSecurityPolicy, ExceptionCode&); 58 58 intptr_t asID() const { return reinterpret_cast<intptr_t>(this); } 59 59 -
trunk/Source/WebCore/workers/Worker.cpp
r196242 r196283 84 84 worker->suspendIfNeeded(); 85 85 86 URL scriptURL = worker->resolveURL(url, ec); 86 bool shouldBypassMainWorldContentSecurityPolicy = context.shouldBypassMainWorldContentSecurityPolicy(); 87 URL scriptURL = worker->resolveURL(url, shouldBypassMainWorldContentSecurityPolicy, ec); 87 88 if (scriptURL.isEmpty()) 88 89 return nullptr; 89 90 90 worker->m_shouldBypassMainWorldContentSecurityPolicy = context.shouldBypassMainWorldContentSecurityPolicy();91 worker->m_shouldBypassMainWorldContentSecurityPolicy = shouldBypassMainWorldContentSecurityPolicy; 91 92 92 93 // The worker context does not exist while loading, so we must ensure that the worker object is not collected, nor are its event listeners. … … 94 95 95 96 worker->m_scriptLoader = WorkerScriptLoader::create(); 96 worker->m_scriptLoader->loadAsynchronously(&context, scriptURL, DenyCrossOriginRequests, worker.ptr());97 97 // FIXME: Enforce Content Security Policy child-src directive when shouldBypassMainWorldContentSecurityPolicy is false. See <https://bugs.webkit.org/show_bug.cgi?id=153562>. 98 worker->m_scriptLoader->loadAsynchronously(&context, scriptURL, DenyCrossOriginRequests, ContentSecurityPolicyEnforcement::DoNotEnforce, worker.ptr()); 98 99 return WTFMove(worker); 99 100 } -
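Review bot: passing `ContentSecurityPolicyEnforcement::DoNotEnforce` to `loadAsynchronously` means the only CSP check on a worker's top-level script is the pre-redirect `resolveURL` check, so a script URL that redirects to an origin the document's CSP would block is still loaded. That is the same class of redirect bypass the rest of this patch closes for XHR, EventSource and importScripts, and the FIXME should say so rather than only cite the bug. Note also the directive mismatch: the FIXME names child-src while `AbstractWorker::resolveURL` checks `allowScriptFromSource` (script-src), and the `ContentSecurityPolicyEnforcement` enum has no child-src value, so fixing 153562 needs both the enum and the directive choice to be reconciled.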
trunk/Source/WebCore/workers/WorkerGlobalScope.cpp
r196242 r196283 184 184 185 185 for (auto& url : completedURLs) { 186 // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved. 187 bool shouldBypassMainWorldContentSecurityPolicy = scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy(); 188 if (!scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(url, shouldBypassMainWorldContentSecurityPolicy)) { 189 ec = NETWORK_ERR; 190 return; 191 } 192 186 193 Ref<WorkerScriptLoader> scriptLoader = WorkerScriptLoader::create(); 187 scriptLoader->loadSynchronously(scriptExecutionContext(), url, AllowCrossOriginRequests );194 scriptLoader->loadSynchronously(scriptExecutionContext(), url, AllowCrossOriginRequests, shouldBypassMainWorldContentSecurityPolicy ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective); 188 195 189 196 // If the fetching attempt failed, throw a NETWORK_ERR exception and abort all these steps. -
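Review bot: Inside the loop, the added allowScriptFromSource check and the EnforceScriptSrcDirective argument to loadSynchronously both enforce script-src, so the same URL is checked twice before a non-redirected fetch succeeds. If the explicit check is kept to fail before any request is issued while the loader-side enforcement covers redirect targets, say so in a comment next to the NETWORK_ERR; otherwise drop one of them. Separately, shouldBypassMainWorldContentSecurityPolicy does not depend on url, so compute it once before the for loop rather than on every iteration, which also shortens the loadSynchronously call line.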
trunk/Source/WebCore/workers/WorkerScriptLoader.cpp
r194428 r196283 30 30 #include "WorkerScriptLoader.h" 31 31 32 #include "ContentSecurityPolicy.h" 32 33 #include "ResourceResponse.h" 33 34 #include "ScriptExecutionContext.h" … … 54 55 } 55 56 56 void WorkerScriptLoader::loadSynchronously(ScriptExecutionContext* scriptExecutionContext, const URL& url, CrossOriginRequestPolicy crossOriginRequestPolicy )57 void WorkerScriptLoader::loadSynchronously(ScriptExecutionContext* scriptExecutionContext, const URL& url, CrossOriginRequestPolicy crossOriginRequestPolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement) 57 58 { 58 59 m_url = url; … … 68 69 options.crossOriginRequestPolicy = crossOriginRequestPolicy; 69 70 options.setSendLoadCallbacks(SendCallbacks); 71 options.securityOrigin = scriptExecutionContext->securityOrigin(); 72 options.contentSecurityPolicyEnforcement = contentSecurityPolicyEnforcement; 70 73 71 74 WorkerThreadableLoader::loadResourceSynchronously(downcast<WorkerGlobalScope>(scriptExecutionContext), *request, *this, options); 72 75 } 73 76 74 void WorkerScriptLoader::loadAsynchronously(ScriptExecutionContext* scriptExecutionContext, const URL& url, CrossOriginRequestPolicy crossOriginRequestPolicy, WorkerScriptLoaderClient* client)77 void WorkerScriptLoader::loadAsynchronously(ScriptExecutionContext* scriptExecutionContext, const URL& url, CrossOriginRequestPolicy crossOriginRequestPolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, WorkerScriptLoaderClient* client) 75 78 { 76 79 ASSERT(client); … … 86 89 options.crossOriginRequestPolicy = crossOriginRequestPolicy; 87 90 options.setSendLoadCallbacks(SendCallbacks); 91 options.securityOrigin = scriptExecutionContext->securityOrigin(); 92 options.contentSecurityPolicyEnforcement = contentSecurityPolicyEnforcement; 88 93 89 94 // During create, callbacks may happen which remove the last reference to this object. -
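Review bot: loadSynchronously and loadAsynchronously now build identical option sets (crossOriginRequestPolicy, SendCallbacks, securityOrigin, contentSecurityPolicyEnforcement); factor the shared setup into a private helper so the two paths cannot drift apart, as they already had before this change for securityOrigin. Also document why options.securityOrigin is now set on the worker script loads: it is not obvious from the hunk whether it is required for the new CSP enforcement or for cross-origin request handling, and the header gives no hint.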
trunk/Source/WebCore/workers/WorkerScriptLoader.h
r177733 r196283 55 55 } 56 56 57 void loadSynchronously(ScriptExecutionContext*, const URL&, CrossOriginRequestPolicy );58 void loadAsynchronously(ScriptExecutionContext*, const URL&, CrossOriginRequestPolicy, WorkerScriptLoaderClient*);57 void loadSynchronously(ScriptExecutionContext*, const URL&, CrossOriginRequestPolicy, ContentSecurityPolicyEnforcement); 58 void loadAsynchronously(ScriptExecutionContext*, const URL&, CrossOriginRequestPolicy, ContentSecurityPolicyEnforcement, WorkerScriptLoaderClient*); 59 59 60 60 void notifyError(); -
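Review bot: The declarations now name ContentSecurityPolicyEnforcement, but this hunk adds no include or forward declaration for it; the .cpp adds `#include "ContentSecurityPolicy.h"`, which suggests the type is defined there. Either include the header (or forward-declare the enum, if it is a scoped enum with a fixed underlying type) in WorkerScriptLoader.h so the header stays self-sufficient, or confirm that an existing include already pulls it in.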
trunk/Source/WebCore/xml/XMLHttpRequest.cpp
r196242 r196283 756 756 options.crossOriginRequestPolicy = UseAccessControl; 757 757 options.securityOrigin = securityOrigin(); 758 options.contentSecurityPolicyEnforcement = scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy() ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective; 758 759 options.initiator = cachedResourceRequestInitiators().xmlhttprequest; 759 760
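Review bot: The added line maps shouldBypassMainWorldContentSecurityPolicy to DoNotEnforce or EnforceConnectSrcDirective with the same ternary pattern that WorkerGlobalScope.cpp uses for EnforceScriptSrcDirective; a small helper on ScriptExecutionContext (or a comment) would make the intent clearer than a 180-character line and keep the two call sites consistent when further directives are added. Since this is the line that actually makes connect-src apply to XHR redirects, a short comment pointing at bug 69359 next to it would help future readers understand why the XHR path, unlike the worker script path, now enforces CSP through the loader.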